California appellate courts are clarifying potential liability under California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq. (“CMIA”) of health care providers, health plans, pharmaceutical companies and others for the unauthorized disclosure of medical information. The CMIA provides that an individual may recover $1,000 nominal damages (plus actual damages if any) from a health care provider or other covered party that negligently releases that individual’s medical information. In data breaches involving large numbers of records and individuals, the potential liability can be enormous even without proof of any damages.

Eisenhower Medical Center Case -

In a significant decision for health care providers and other holders of medical information, the California Court of Appeal recently decided that the CMIA’s civil liability provisions do not cover the theft of a hospital index containing personal identifying information unless the index also includes information relating to medical history, mental or physical condition, or treatment. Eisenhower Medical Center v. Superior Court (Malanche), No. E058378, 2014 WL 2115216, at *1 (Cal. Ct. App. May 21, 2014). In Eisenhower, the plaintiffs sought damages for a class of over 500,000 individuals, which could amount to total nominal damages of over $500 million without any showing of actual injury. While the CMIA continues to impose significant obligations upon those within its coverage, this decision dramatically reduces the liability risk arising from the release of one type of information.